From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: [Fwd: [squid-announce] Squid 4.1 is available]
Date: Thu, 05 Jul 2018 16:55:19 +0200
Message-ID: <1cc95aa3-7bb0-230d-dc24-76b0f8b20e4a@ipfire.org>
In-Reply-To: <9aa23d5a-0f10-2508-a2c5-707b78193f9d@ipfire.org>

Hi,

Found something, see below.

On 04.07.2018 20:52, Matthias Fischer wrote:
> On 04.07.2018 18:43, Michael Tremer wrote:
>> On Wed, 2018-07-04 at 17:04 +0200, Matthias Fischer wrote:
>>> On 04.07.2018 16:57, Michael Tremer wrote:
>>> > On Wed, 2018-07-04 at 16:54 +0200, Matthias Fischer wrote:
>>> > > Hi,
>>> > >
>>> > > On 04.07.2018 11:12, Michael Tremer wrote:
>>> > > > Squid 4.1 has been released.
>>> > >
>>> > > Yep.
>>> > >
>>> > > > @Matthias: As far as I remember, you have been working on updating squid
>>> > > > before.
>>> > > > Will you have a look at this?
>>> > >
>>> > > I'm "looking at it" right now. ;-)
>>> > >
>>> > > When I came home, Devel was ready.
>>> > >
>>> > > First compiled version (32bit) is running here. No problems seen.
>>> > >
>>> > > But today they released the first patch
>>> > > (http://www.squid-cache.org/Versions/v4/changesets/squid-4-01fd74072310c3b018f4b6a5b5c6be4816f72166.patch).
>>> > > Great...
>>> > >
>>> > > I think we're not affected ("There is a Segfault when opening long URLs
>>> > > if Bump is enabled and the on_unsupported_protocol option is set. Proxy
>>> > > mode is transparent.") but to be complete, I'd like to include this one.
>>> > >
>>> > > This requires a clean build (~5:30 hours). Patched version will be ready
>>> > > tomorrow. Ok?
>>> >
>>> > No hurry at all. I guess this already shows us that we should not migrate to
>>> > squid 4, yet. There are still many bugs in it. But what we need to do is to
>>> > review the proxy.cgi and see if the configuration file is valid and make
>>> > changes if required.
>>>
>>> I'm testing the squid4-branch since ~4.0.22, 'squid -k parse' hasn't
>>> shown an error since then, except this one - and I can't find the reason:
>>>
>>> "WARNING: Ignoring error setting default trusted CA : An unimplemented
>>> or disabled feature has been requested."
>>
>> Did you go through the changelog to identify any configuration options that you
>> might not be using and which have been discontinued?
>
> Yes, but I didn't find an option or something in the squid conf - with
> MY eyes - that could lead me to the culprit.
>
> What I found:
> That warning is triggered by 'PeerOptions.cc':
>
> ...
>     if (!flags.tlsDefaultCa)
>         return;
>
>     if (const char *err = loadSystemTrustedCa(ctx)) {
>         debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default trusted CA : " << err);
>     }
> ...
>
> Which leads me to:
>
> ...
> loadSystemTrustedCa(Security::ContextPointer &ctx)
> {
>     debugs(83, 8, "Setting default system Trusted CA. ctx=" << (void*)ctx.get());
> #if USE_OPENSSL
>     if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0)
>         return Security::ErrorString(ERR_get_error());
>
> #elif USE_GNUTLS
>     auto x = gnutls_certificate_set_x509_system_trust(ctx.get());
>     if (x < 0)
>         return Security::ErrorString(x);
> ...
>
> Perhaps we should add '--without-gnutls'?
>
> Since SSL is already disabled that is the only option I can think of and
> it clearly is found by 'squid':
>
> ...
> checking for LIBGNUTLS... yes
> checking gnutls/gnutls.h usability... yes
> checking gnutls/gnutls.h presence... yes
> checking for gnutls/gnutls.h... yes
> checking gnutls/x509.h usability... yes
> checking gnutls/x509.h presence... yes
> checking for gnutls/x509.h... yes
> checking gnutls/abstract.h usability... yes
> checking gnutls/abstract.h presence... yes
> checking for gnutls/abstract.h... yes
> configure: GnuTLS library support: auto -lgnutls
> ...

After adding '--without-gnutls' and another clean build, the warning is gone.

New version is running.

Best,
Matthias
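As an added example (not code from this thread, nor from the Squid or IPFire projects), two POSIX sh checks for the situation above: which TLS backend a squid binary reports in its `squid -v` configure options, and whether `squid -k parse` output contains the default-CA warning. The sample outputs are constructed; the assumption that GnuTLS is auto-detected unless explicitly disabled follows the configure log quoted in the thread.

```shell
#!/bin/sh
# Added example, not Squid's or IPFire's own code. Checks for a build that
# silently picked up GnuTLS and for the resulting `squid -k parse` warning.

# Constructed `squid -v` output for a build like the one discussed:
# OpenSSL disabled, GnuTLS auto-detected because it was not excluded.
SAMPLE_SQUID_V=$(cat <<'EOF'
Squid Cache: Version 4.1
Service Name: squid
configure options:  '--prefix=/usr' '--without-openssl' '--enable-icap-client'
EOF
)

# The same build after adding --without-gnutls.
SAMPLE_SQUID_V_FIXED=$(cat <<'EOF'
Squid Cache: Version 4.1
Service Name: squid
configure options:  '--prefix=/usr' '--without-openssl' '--without-gnutls'
EOF
)

# Constructed `squid -k parse` output containing the warning from the thread.
SAMPLE_PARSE=$(cat <<'EOF'
2018/07/05 16:55:19| Processing: cache_mem 256 MB
2018/07/05 16:55:19| WARNING: Ignoring error setting default trusted CA : An unimplemented or disabled feature has been requested.
EOF
)

# Read `squid -v` output on stdin and print the TLS backend the binary was
# configured with: openssl, gnutls or none. Assumption (from the configure
# log in the thread): GnuTLS is used unless --without-gnutls is given,
# whereas OpenSSL has to be requested with --with-openssl.
tls_backend() {
    opts=$(grep '^configure options:' | head -n 1)
    case "$opts" in
        *"'--with-openssl"*) echo openssl; return 0 ;;
    esac
    case "$opts" in
        *--without-gnutls*) echo none ;;
        *) echo gnutls ;;
    esac
}

# Exit 0 if `squid -k parse` output on stdin contains the warning, else 1.
has_default_ca_warning() {
    grep -q 'Ignoring error setting default trusted CA'
}
```

Feed the real outputs with `squid -v | tls_backend` and `squid -k parse 2>&1 | has_default_ca_warning` to confirm which backend a given build ended up with.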